🤖 AI Summary
Existing federated learning defenses target algorithmic poisoning and are not designed for backdoors implanted through hardware faults. This work presents the first task-agnostic, highly efficient backdoor attack that combines hardware-induced bit flips, such as those produced by Rowhammer, with federated model adaptation. The backdoor is crafted in an offline phase from the pre-trained model the FL system starts from, and at training time it requires flipping only a minimal number of bits in the parameters of a single local model (at most 10 flips per malicious-client occurrence, with 19 occurrences in total on ResNet-18). Despite this extreme sparsity, the attack reaches a 94% success rate, demonstrating its efficiency, stealthiness, and generalizability across tasks and models.
📝 Abstract
Federated Learning (FL) allows a set of clients to collectively train a global model without sharing local training data. Delegating the training to decentralized actors may lead to poisoning attacks: clients controlled by a malicious third party can poison the training dataset to install a backdoor in the neural network. In FL, these backdoor attacks have so far relied solely on algorithmic approaches; however, recent advances in hardware fault threats (e.g., Rowhammer) have widened the overall attack surface. In the context of federated model adaptation, we introduce a novel category of backdoor attack against FL systems that relies on model poisoning based on hardware-fault attacks. More precisely, we propose a task-agnostic backdoor attack that is implanted during FL training by inducing hardware faults (bit flips) in the parameters of a single local model. The backdoor is crafted during a preceding offline phase from the pretrained model initially used by the FL system. Our results show that the backdoor can be successfully applied to different types of models and datasets. Typically, up to 10 faults per malicious-client occurrence and 19 total occurrences on a ResNet-18 are enough to reach a 94% attack success rate. Finally, we discuss the practicality of the attack and its robustness against potential defenses, while putting into perspective the practical constraints of Rowhammer, which is the preferred attack vector for this type of threat.